summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorRichard Moore <rich@kde.org>2011-11-14 21:56:40 (GMT)
committerPeter Hartmann <peter.hartmann@nokia.com>2011-11-15 12:49:52 (GMT)
commited4d47fde11bf1bded55394358b19ceedb1d5768 (patch)
treeb1bdc3d18fd3a48a63a7d42d7fe8d047a4a323d3 /src
parent32e931b40edf4dc53424f3435d22f5c6419182f5 (diff)
downloadQt-ed4d47fde11bf1bded55394358b19ceedb1d5768.zip
Qt-ed4d47fde11bf1bded55394358b19ceedb1d5768.tar.gz
Qt-ed4d47fde11bf1bded55394358b19ceedb1d5768.tar.bz2
Add the ability to do unsafe SSL renegotiation as a fallback.
This commit adds the ability to perform legacy SSL renegotiation as a fallback via QSsl::SslOptions. This is something that used to work, but has been disabled by default in newer versions of openssl. The need for this has been reported by users (eg. in QTBUG-14983). Change-Id: I5b80f3ffd07e0c5faddc469f6a8f857bac5740f7 Reviewed-by: Corentin Chary <corentin.chary@gmail.com> Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com> (cherry picked from commit 75b2a4960b753766ea2eec4dbd34c67733ca8089)
Diffstat (limited to 'src')
-rw-r--r--src/network/ssl/qssl.cpp8
-rw-r--r--src/network/ssl/qssl.h3
-rw-r--r--src/network/ssl/qsslconfiguration.cpp2
-rw-r--r--src/network/ssl/qsslconfiguration_p.h3
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp8
5 files changed, 20 insertions, 4 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index b556328..01297c9 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -141,9 +141,15 @@ QT_BEGIN_NAMESPACE
\value SslOptionDisableServerNameIndication Disables the SSL server
name indication extension. When enabled, this tells the server the virtual
host being accessed allowing it to respond with the correct certificate.
+ \value SslOptionDisableLegacyRenegotiation Disables the older insecure
+ mechanism for renegotiating the connection parameters. When enabled, this
+ option can allow connections for legacy servers, but it introduces the
+ possibility that an attacker could inject plaintext into the SSL session.
By default, SslOptionDisableEmptyFragments is turned on since this causes
- problems with a large number of servers, but the other options are disabled.
+ problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+ is also turned on, since it introduces a security risk. The other options
+ are turned off.
Note: Availability of above options depends on the version of the SSL
backend in use.
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 453d4da..571aa1f 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -87,7 +87,8 @@ namespace QSsl {
SslOptionDisableEmptyFragments = 0x01,
SslOptionDisableSessionTickets = 0x02,
SslOptionDisableCompression = 0x04,
- SslOptionDisableServerNameIndication = 0x08
+ SslOptionDisableServerNameIndication = 0x08,
+ SslOptionDisableLegacyRenegotiation = 0x10
};
Q_DECLARE_FLAGS(SslOptions, SslOption)
}
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index e24076e..727130b 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,7 @@ bool QSslConfiguration::isNull() const
d->privateKey.isNull() &&
d->peerCertificate.isNull() &&
d->peerCertificateChain.count() == 0 &&
- d->sslOptions == 0);
+ d->sslOptions == QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation);
}
/*!
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index b83edb9..a711eeb 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -82,7 +82,8 @@ public:
QSslConfigurationPrivate()
: protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
- peerVerifyDepth(0)
+ peerVerifyDepth(0),
+ sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
{ }
QSslCertificate peerCertificate;
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 3942209..5f520f7 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -298,6 +298,14 @@ init_context:
else
options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ // This option is disabled by default, so we need to be able to clear it
+ if (configuration.sslOptions & QSsl::SslOptionDisableLegacyRenegotiation)
+ options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ else
+ options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#endif
+
#ifdef SSL_OP_NO_TICKET
if (configuration.sslOptions & QSsl::SslOptionDisableSessionTickets)
options |= SSL_OP_NO_TICKET;